FirstBlood-#1455 — Doctors can change doctor's profile photo
This issue was discovered on FirstBlood v3
On 2022-12-10, 0xblackbird Level 5 reported:
Summary:
Hi!
I found out with @ayush1098 that authenticated users can change other doctors' profile photos by supplying the photoUrl parameter. This shouldn't be possible, as stated below.
Possible cause:
The developers might have underestimated that the API can also be invoked directly and that the parameter could be guessed.
Impact:
Any authenticated user can change the profile photo of another doctor.
Steps to reproduce:
1) Login using the default credentials: admin:admin
2) Replicate the following request
POST /drpanel/drapi/edit-dr.php HTTP/1.1
Host: {HOST}
Cookie: drps={SESS_COOKIE}
Content-Type: application/x-www-form-urlencoded
Content-Length: 127
drid=1&name=test&bio=&bookable=0&photoUri={PATH}
3) Once sent, the profile URL must be changed; you can cross-check this by visiting /meet_drs.php or /drpanel/edit-doctor.php?id=1
Mitigation:
I recommend not accepting the photoUrl parameter anymore.
Have a nice day!
Kind regards,
0xblackbird
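The mitigation the reporter recommends (stop honouring photoUrl) is best done by building the update from an explicit allowlist of editable fields rather than by removing one parameter name. The handler below is an added example, not FirstBlood's own edit-dr.php; the doctors table, its column names and the requireDoctorSession() helper are assumptions.

```php
<?php
// Added example (not FirstBlood's code): an edit-dr.php-style handler that only
// applies allowlisted fields, so a directly supplied photoUrl/photoUri parameter
// is dropped and logged instead of silently overwriting the doctor's photo.

const EDITABLE_FIELDS = ['name', 'bio', 'bookable'];

// Keep only allowlisted keys; record anything else so probing is visible in logs.
function filterDoctorUpdate(array $post): array
{
    $update = [];
    foreach (EDITABLE_FIELDS as $field) {
        if (array_key_exists($field, $post)) {
            $update[$field] = (string) $post[$field];
        }
    }
    $unexpected = array_diff(array_keys($post), EDITABLE_FIELDS, ['drid']);
    if ($unexpected !== []) {
        error_log('edit-dr: ignored unexpected parameters: ' . implode(',', $unexpected));
    }
    return $update;
}

// Column names come from EDITABLE_FIELDS, never from user input, so the
// dynamically built SET clause cannot be influenced by the request.
function updateDoctor(PDO $db, int $drid, array $update): void
{
    if ($update === []) {
        return;
    }
    $set = [];
    foreach (array_keys($update) as $col) {
        $set[] = "$col = :$col";
    }
    $sql  = 'UPDATE doctors SET ' . implode(', ', $set) . ' WHERE id = :id'; // table/columns assumed
    $stmt = $db->prepare($sql);
    $stmt->execute($update + ['id' => $drid]);
}

requireDoctorSession();                      // assumed helper: rejects unauthenticated calls
$drid = filter_input(INPUT_POST, 'drid', FILTER_VALIDATE_INT);
if ($drid === false || $drid === null) {
    http_response_code(400);
    exit('invalid drid');
}
$update = filterDoctorUpdate($_POST);
if (isset($update['bookable'])) {
    $update['bookable'] = (string) (int) (bool) $update['bookable'];
}
updateDoctor($db, $drid, $update);           // $db: an existing PDO connection (assumed)
```

Because photoUrl is not in EDITABLE_FIELDS, the request from the report above leaves the photo untouched and produces a log line naming the ignored parameter.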
P4 Low
Endpoint: /drpanel/drapi/edit-dr.php
Parameter: photoUrl
Payload: {PATH}
FirstBlood ID: 61
Vulnerability Type: Application/Business Logic
It mentions that doctor photos can NOT be modified but it is actually possible to modify them